Communication tunneling in application container environments

ABSTRACT

Systems, methods, and software described herein provide encryption configurations to application containers. In one example, a method of operating a management system to provide VPN configurations to application containers in an application container environment includes identifying two application containers in the application container environment for secure communication, and identifying a VPN configuration for the two application containers. The method further includes configuring the two application containers for secure communication by transferring the VPN configuration to security layers within each of the two application containers.

RELATED APPLICATIONS

This application is a continuation of, and claims the benefit of and priority to, U.S. application Ser. No. 14/607,738, filed on Jan. 28, 2015, entitled “COMMUNICATION TUNNELING IN APPLICATION CONTAINER ENVIRONMENTS,” which is hereby incorporated by reference in its entirety.

TECHNICAL FIELD

Aspects of the disclosure are related to computing security and in particular to providing virtual private networks to application containers.

TECHNICAL BACKGROUND

An increasing number of data security threats exist in the modern computerized society. These threats may include viruses or other malware that attacks the local computer of the end user, or sophisticated cyber attacks to gather data and other information from the cloud or server based infrastructure. This server based infrastructure includes physical and virtual computing devices that are used to provide a variety of services to user computing systems, such as data storage, cloud processing, web sites and services, amongst other possible services. To protect applications and services, various antivirus, encryption, and firewall implementations may be used across an array of operating systems, such as Linux and Microsoft Windows.

Further, in some security implementations, a virtual private network (VPN) may be provided between two communicating systems. A VPN extends a private network across a public network, such as the internet, and enables a computer to send and receive data across shared or public networks as if it is directly connected to the private network. The advantages to a VPN are many and include adding additional security as if the connecting devices were connected across a private network, advanced management allowing an administrator or other management service to control the data and systems that connect to the VPN, amongst a variety of other benefits.

In addition to the protective measures discussed above, segregation methods have also been pursued to limit the interaction between systems and applications. These segregation methods include whole system virtualization, which includes a full operating system and one or more applications, as well as application containers that are used to reduce dependencies on other cooperating applications. However, separating the applications into different virtual machines or application containers can add complexity to the security configurations for each of the executing applications.

OVERVIEW

Provided herein are systems, methods, and software to provide virtual private network (VPN) configurations to application containers. In one example, a method of operating a management system to provide VPN configurations to application containers in an application container environment includes identifying a first application container and a second application container in the application container environment for secure communication, and identifying a VPN configuration for the first application container and the second application container. The method further includes configuring the first application container and the second application container for secure communication by transferring the VPN configuration to a first security layer within the first application container and a second security layer within the second application container, wherein the first security layer acts as a communication intermediary between at least one application within the first application container and at least one process or system external to the first application container, and wherein the second security layer acts as a communication intermediary between at least one application within the second application container and at least one process or system external to the second application container.

In another instance, a computer apparatus to provide VPN configurations to application containers includes processing instructions that direct a management system to identify a first application container and a second application container in the application container environment for secure communication, and identify a VPN configuration for the first application container and the second application container. The processing instructions further direct the management system to configure the first application container and the second application container for secure communication by transferring the VPN configuration to a first security layer within the first application container and a second security layer within the second application container, wherein the first security layer acts as a communication intermediary between at least one application within the first application container and at least one process or system external to the first application container, and wherein the second security layer acts as a communication intermediary between at least one application within the second application container and at least one process or system external to the second application container. The computer apparatus further includes one or more non-transitory computer readable media that store the processing instructions.

BRIEF DESCRIPTION OF THE DRAWINGS

Many aspects of the disclosure can be better understood with reference to the following drawings. While several implementations are described in connection with these drawings, the disclosure is not limited to the implementations disclosed herein. On the contrary, the intent is to cover all alternatives, modifications, and equivalents.

FIG. 1 illustrates an application container environment for configuring and executing secure application containers.

FIG. 2 illustrates a method of operating a management system to provide VPN configurations to application containers in an application container environment.

FIG. 3 illustrates an overview of providing a VPN configuration to application containers.

FIG. 4 illustrates an overview of communicating a data object between application containers in an application container environment.

FIG. 5 illustrates an application container environment.

FIG. 6 illustrates an overview of data communications between application containers.

FIG. 7 illustrates a host computing system to provide a platform for secure application containers.

FIG. 8 illustrates a management computing system to provide encryption configurations to secure application containers.

TECHNICAL DISCLOSURE

Internet services rely extensively on security to prevent unpermitted processes and users from accessing sensitive data. Such data may include usernames, passwords, social security numbers, and credit card numbers, amongst other sensitive data. To prevent the unpermitted access, firewalls, antiviruses, and other security processes may be executed on the devices hosting the internet services. These security processes are designed to prevent improper access, or mitigate the effects once a breach has occurred.

In some examples, multiple applications may be necessary to provide specific services to end user devices, such as front-end applications, back-end applications, data service applications, or any other application. Each of these applications is responsible for a particular task, such as taking in and storing data, processing data that is received, organizing data received, or any other task necessary for the service. These applications may be implemented on one or more computing devices configured by an administrator to perform the associated service.

In the present example, application containers are provided to segregate and help secure the data as it is used within the service. These application containers, which operate on a host system, can package an application and its dependencies in a virtual container, and run the containerized applications as an isolated process in userspace on the host operating system. An application container may comprise a Linux container, a jail, a partition, or other type of containment module, but may also comprise a virtual machine in some examples. Accordingly, because the application does not contain any dependencies from other applications or files, the application is essentially segregated from other applications and processes executing on the same computing system.

Here, in addition to the application, the container also includes a security layer to act as a barrier or intermediary between the application and other processes or data systems outside of the application container. This security layer may include encryption, firewall, storage interface, and communication interface modules that can be configured based on the application within the container. Further, the security layer may include a virtual private network (VPN) module that is capable of configuring VPN communications between the application container and one or more external containers and systems.

To provide the VPN configuration, a management system may be included within an application container environment. This management system may provide the application with a variety of security configuration information including VPN configurations for the security layer within the application container. In some examples, the security configuration and VPN configuration may be included with the application container when the application container is generated. However, in other instances, the VPN configuration may be assigned to the application container when the application container is initiated on a host computing system. For example, a front-end server application container that takes in and distributes data from one or more users may be initiated within an environment with a database server application container that stores the data from the one or more end users. As a result, an administrator or some other management service may prefer to configure a VPN between the two application containers to ensure that data is communicated securely between the two containers. Once a VPN is defined, the configuration may then be transferred to the application containers for implementation.

In some examples, the applications within the application containers communicating over the VPN may not identify that a VPN is used in the communication. For instance, an application in the first application container may initiate a transfer of data to a second application in the second application container. Before the data is communicated, a security layer in the first application container may identify the data communication, convert the communication to the desired VPN format, and transfer the data to the second application container. Similarly, the second application container may identify the communication, convert the data from the VPN format, and provide the data to the second application. Thus, neither the first application nor the second application may identify that a VPN was used in the communication between the two applications.

Referring now to FIG. 1, FIG. 1 illustrates an application container environment 100 for configuring and executing secure application containers. Application container environment 100 includes application containers 130-131 and VPN management system 120. Application containers 130-131 further include security layers 140-141 and applications 150-151.

In operation, application containers 130-131 are generated to provide a segregated environment for applications 150-151. These application containers, which operate on a host system, package the components for applications 150-151 and their dependencies within a virtual container, and run the containerized applications as an isolated process in userspace on the host operating system. As illustrated in FIG. 1, each of application containers 130-131 includes a security layer that acts as an intermediary for data communications between applications 150-151 and processes or systems external to application containers 130-131. Accordingly, if a data communication is received by one of application containers 130-131, the security layer may first transparently filter the communication before it is provided to the corresponding application.

As depicted in environment 100, each of application containers 130-131 communicates with VPN management system 120. VPN management system 120 is configured to identify that a secure connection is needed between two application containers, and provide a VPN configuration to the application containers. In some examples, VPN management system 120 configures the application containers when they are provisioned. Accordingly, when the container is initiated on a host system, the container may be preconfigured to communicate using a VPN with another application container. In other instances, rather than provisioning the application container with the VPN configuration, the VPN configuration may be dynamically assessed when the container is initiated within a containerized environment.

To further demonstrate the configuration of security layers in application containers, FIG. 2 is provided. FIG. 2 illustrates a method 200 of operating a management system, such as VPN management system 120, to provide VPN configurations to application containers in an application container environment. Initially, the management system identifies two application containers in an application container environment for secure communications (201). Once the application containers are identified, the method further identifies a VPN configuration for the two application containers (202). This VPN configuration information may include authentication information, encapsulation or tunneling formatting information, amongst other VPN information. Once the VPN configuration is determined for the application containers, the method configures the two application containers for secure communication by transferring the VPN configuration to security layers within each of the two application containers (203).

As illustrated in FIG. 1, security layers 140-141 are used to act as an intermediary for communications between applications 150-151 and processes or systems external to application containers 130-131. As a result, in some examples, VPN management system 120 may configure application container 130 to communicate with application container 131 using an identified VPN configuration. However, in situations where the security of the data is less important, no VPN configuration may be passed to the application container. Accordingly, rather than using a VPN configuration or tunneling to pass data between the two containers, the containers may address data to one another using the public Internet Protocol (IP) address assigned to the container.

Further, it should be understood that each application container might have a plurality of VPNs provided for tunneling data between multiple application containers. Thus, as an example, application container 130 may have a first VPN configuration for data communications with application container 131, but may have an entirely separate VPN configuration for communications with another application container or system.

In some examples, the VPN configuration that is provided for the application containers is transparent to the applications executing within the application containers. For example, the applications within the container may identify the application at the opposite end of the communication, but will not identify that a VPN is used to connect the two applications. Accordingly, when data is communicated from a first application within a first application container to a second application in a second application container, a first security layer in the first application container may identify the communication, transparently convert the communication to a VPN format, and transfer the communication to a second application container using the VPN. Similarly, a security layer in the second application container may remove the data from the VPN format and provide the data to the second application as if the VPN were not used in the communication from the first application to the second application.

Turning to FIG. 3, FIG. 3 illustrates an overview 300 of providing a VPN configuration to application containers according to one example. Overview 300 includes application containers 310-311, and management system 340, which is an example of VPN management system 120. Application containers 310-311 further include security layers 320-321 and applications 330-331.

In operation, application containers 310-311 may be deployed within an application container environment to perform specific tasks within the environment. For example, application container 310 may comprise a front-end server application container, whereas application container 311 may comprise a database application container. As a result of the configuration within the containerized environment, application containers 310-311 may require a VPN configuration to provide secure communications between the application containers. As provided in FIG. 3, management system 340 is used to provide the VPN configuration to application containers 310-311. In particular, management system 340 is configured to identify that the two containers require a secure communication path, and responsively, transfer a VPN configuration to each of the containers to allow the containers to communicate via a VPN tunnel. This VPN configuration may include authentication information for the containers in the VPN, tunneling format information for the VPN, amongst other possible VPN configuration information.

In some examples, management system 340 may identify the application containers via an administrator that, using a user interface, indicates the application containers that require the secure communication path. In other instances, management system 340 may base the VPN configuration on the applications within the application containers, or the type of data that is being communicated between each of the application containers. For example, application containers that transfer sensitive information, such as social security or credit card numbers, may need a secure communication link to prevent improper access to the data. Accordingly, management system 340 may identify the needs of the application containers and provide the application containers with a VPN configuration based on the requisite needs.

Once application containers 310-311 are configured with the VPN, any data that is to be transferred between the two containers is sent over the VPN to maintain the security of the information. As a result, security layers 320-321 may not identify the data that is being transmitted between the application containers, but rather are concerned with the source and destination for the data. Consequently, although some data communicated between application containers 310-311 may not need to be secured, all the data that is passed between the containers may be transferred using the VPN tunnel.
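Method 200 and the FIG. 3 discussion describe what the management system does in each step but not how the three steps fit together in practice. The following Python is an added example, not code from the patent or from any product it describes, of a management system that identifies the container pairs needing a secure path (201), builds a per-pair VPN configuration (202) and hands each security layer its own view of it (203). Everything specific in it is a constructed assumption: the Container inventory record, the policy rule (a pair named by an administrator, or two containers that share a sensitive data classification, gets a tunnel), the `udp-encap-v1` format label, the 10.200.0.0/16 tunnel address pool and the 203.0.113.x public addresses. The authentication key is generated with the standard library's secrets module and stands in for whatever authentication material a real VPN carries.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Container:
    """Constructed inventory record: what a management system knows about each container."""
    name: str
    role: str                 # e.g. "front-end", "database"
    public_ip: str            # address the container is normally reachable at
    data_classes: frozenset   # classifications of the data the application handles


SENSITIVE = {"pii", "payment"}   # assumed classifications that require a tunnel


def identify_secure_pairs(containers, admin_pairs=()):
    """Step 201: decide which container pairs need a secure communication path.

    A pair qualifies if an administrator named it explicitly, or if both
    containers handle a common sensitive data classification (assumed policy).
    """
    pairs = {frozenset(p) for p in admin_pairs}
    for a, b in combinations(containers, 2):
        if a.data_classes & b.data_classes & SENSITIVE:
            pairs.add(frozenset((a.name, b.name)))
    return sorted(tuple(sorted(p)) for p in pairs)


# Tunnel-internal ("anonymous") addresses, deliberately disjoint from the public IPs.
_TUNNEL_POOL = ipaddress.ip_network("10.200.0.0/16").hosts()


def build_vpn_configuration(a, b, tunnel_id):
    """Step 202: the VPN configuration for one pair: authentication material,
    encapsulation format and the tunnel address each endpoint will use."""
    addr_a, addr_b = str(next(_TUNNEL_POOL)), str(next(_TUNNEL_POOL))
    return {
        "tunnel_id": tunnel_id,
        "format": "udp-encap-v1",              # assumed encapsulation format label
        "auth_key": secrets.token_bytes(32),   # stand-in for real VPN authentication material
        "endpoints": {a.name: addr_a, b.name: addr_b},
        "public_ips": {a.name: a.public_ip, b.name: b.public_ip},
    }


def per_container_view(config, local_name):
    """Step 203: the slice of a pair configuration that one security layer receives."""
    peer = next(n for n in config["endpoints"] if n != local_name)
    return {
        "tunnel_id": config["tunnel_id"],
        "format": config["format"],
        "auth_key": config["auth_key"],
        "local_tunnel_addr": config["endpoints"][local_name],
        "peer": peer,
        "peer_tunnel_addr": config["endpoints"][peer],
        "peer_public_ip": config["public_ips"][peer],
    }


def provision(containers, admin_pairs=()):
    """Run steps 201-203 and return {container name: [configs for its security layer]}.

    A container with several secure peers receives several entries, one per tunnel,
    matching the multiple-VPN case the disclosure describes for a single container.
    """
    by_name = {c.name: c for c in containers}
    delivered = {c.name: [] for c in containers}
    pairs = identify_secure_pairs(containers, admin_pairs)
    for tunnel_id, (a, b) in enumerate(pairs, start=1):
        cfg = build_vpn_configuration(by_name[a], by_name[b], tunnel_id)
        delivered[a].append(per_container_view(cfg, a))
        delivered[b].append(per_container_view(cfg, b))
    return delivered


# Constructed environment: a front end, a database and a telemetry sidecar.
INVENTORY = [
    Container("frontend", "front-end", "203.0.113.10", frozenset({"pii", "public"})),
    Container("db", "database", "203.0.113.20", frozenset({"pii", "payment"})),
    Container("metrics", "telemetry", "203.0.113.30", frozenset({"public"})),
]

if __name__ == "__main__":
    for name, cfgs in provision(INVENTORY).items():
        print(name, [(c["tunnel_id"], c["peer"], c["local_tunnel_addr"]) for c in cfgs])
```

With the constructed inventory only the front end and the database share a sensitive classification, so they receive mirrored views of one tunnel (same key, each side's local address being the other's peer address) and the telemetry container receives nothing; naming a pair through `admin_pairs` adds a tunnel regardless of classification.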

To further demonstrate the VPN tunneling between application containers, FIG. 4 is provided. FIG. 4 illustrates an overview 400 of communicating a data object between application containers in an application container environment, according to one example. Overview 400 includes application containers 410-411, which further include security layers 420-421, and applications 430-431.

As described in FIGS. 1-3, a management system may be used to provide the application containers with VPN configurations based on the security requirements of the application containers. Here, application containers 410-411 have implemented a VPN configuration capable of tunneling data from application 430 to application 431. A VPN tunnel allows traffic to be encrypted from application container 410, and transferred via an anonymous IP address to application container 411. Accordingly, tunneling may provide two levels of security. The first is that all data that is transmitted across the tunnel may be encrypted and can only be decrypted by the security layer at the other end of the tunnel. Second, by providing an anonymous IP address the destination of the data may be kept secure from malicious or unwanted machines or persons.

As illustrated in FIG. 4, data object 440 is to be transferred from application 430 to be received by application 431. Rather than changing the code of the application within the container, security layer 420 allows data being transferred from or received by the application container to be modified, redirected, or reformatted without modifying the processes within the application. Accordingly, when data object 440 is to be transferred to application 431, the VPN configuration in security layer 420 transparently identifies the destination application or application container, encapsulates data object 440 within one or more packets to be delivered to application container 411, and transfers the packets using an anonymous VPN tunnel.

Once the data packets arrive at application container 411, security layer 421 de-encapsulates data object 440 from the data packets, and provides the object to application 431. Thus, although applications 430-431 are not modified when they are placed within the container, the data communications between the two applications may be encrypted and made anonymous using the VPN connection provided by the management service.

Turning to FIG. 5, FIG. 5 illustrates an application container environment 500. Application environment 500 includes host computing systems 501-502 and management system 550. Host computing systems 501-502 further include operating systems 510-511, and application containers 521-524. Application containers 521-524 further include applications 531-534 and security layers 541-544. Management system 550 communicates with host computing systems 501-502 over communication links 570-571. Host computing system 501 communicates with host computing system 502 over communication link 572.

In operation, application containers 521-524 are initiated on host computing systems 501-502 to perform specific tasks. In particular, each of application containers 521-524 includes a distinct application, and a security layer to act as an intermediary for data communications between the application, and processes, computing systems, and storage systems external to the application. In some examples, security layers 541-544 may include VPN modules to implement VPN tunneling between application containers and other systems.

As illustrated in the present example, host computing systems 501-502 are communicatively coupled to management system 550. Management system 550 identifies application containers for secure communication, and identifies a VPN configuration for the application containers. This VPN configuration may be based on the applications within the containers, the type of data that is communicated between the two containers, specifications provided by an administrator, or any other security reason for communication between the application containers. Once the VPN configuration is identified, the configuration is then passed to the appropriate application containers to be implemented.

As an illustrated example, application container 521 may require a secure communication path to communicate with application container 522. Accordingly, management system 550 will identify this requirement, identify a VPN tunneling configuration for the two application containers, and transfer the configuration to the application containers. Once received, security layers 541-542 may implement the VPN configuration and use the configuration to communicate data between the two application containers. Thus, although each application container 521-522 may include a public IP address that is used for communication with other containers, an anonymous IP address may be used to tunnel communications between the particular containers. For instance, if application 531 attempted to send a data object to application 532, security layer 541 may identify the destination for the data object, encrypt the data object using the VPN configuration from management system 550, and transfer the data to container 522 using the VPN configuration. Again, using the configuration from management system 550, security layer 542 may be used to receive the data object, and provide the object to application 532.

Referring to elements of application container environment 500, host computing systems 501-502 and management system 550 may comprise any device or system of devices capable of operating as described herein. Host computing systems 501-502 and management system 550 may each comprise processing systems, storage systems, communication interfaces, user interfaces, power supplies, or any other computer related system. Although illustrated as separate in the present example, it should be understood that management system 550 might reside wholly or partially on host computing systems 501-502.

Communication links 570-572 each use metal, glass, optical, air, space, or some other material as the transport media. Communication links 570-572 may use Time Division Multiplex (TDM), asynchronous transfer mode (ATM), IP, Ethernet, synchronous optical networking (SONET), hybrid fiber-coax (HFC), circuit-switched, communication signaling, wireless communications, or some other communication format, including improvements thereof. Communication links 570-572 may each be a direct link, or can include intermediate networks, systems, or devices, and can include a logical network link transported over multiple physical links.

Turning to FIG. 6, FIG. 6 illustrates an overview 600 of data communications between application containers. Overview 600 includes application containers 601-603, which further include security layers 610-612 and applications 620-622. When deployed within one or more host computing systems, security layers 610-612 are configured to act as communication intermediaries between applications 620-622 and external processes, computing systems and data systems.

As illustrated in FIG. 6, security layers 610-612 may be configured based on the requirements for the application environment. For example, if application 620 comprised a front-end server application, security layer 610 may be configured based on the requirements for this application. Similarly, if application 621 comprised a back-end data processing application, security layer 611 may be configured based on the requirements for application 621. In some examples, application containers 601-603 may be configured to communicate with a management system to retrieve configuration parameters for security layers 610-612. Accordingly, when the application containers are initiated on a host computing system, the containers may query the management system for at least a VPN tunneling configuration. The VPN configuration that is returned to each of the application containers may be based on the type of application for the container, the type of data handled by the application, may be assigned by an administrator, or may be determined by any other similar means.

As illustrated in the present example, two VPN tunnels are configured, one between application container 601 and application container 603, and one between application container 602 and application container 603. As a result of this configuration, when data needs to be transferred between application container 601 and application container 603, the data will be sent using the VPN tunnel rather than addressing the application container directly. This VPN tunnel may allow two application containers to pass data using anonymous IP addresses, encrypt the data passed between the application containers, or provide other similar security measures for the data. Accordingly, sensitive data that is transferred between the two applications may be more secure than using the standard IP communication path for the containers.

In some examples, such as illustrated with application container 603, more than one VPN tunnel may be applied via the VPN configurations. Accordingly, any data that is transferred by application container 601 to container 603 may be processed using a first VPN tunnel configuration between the two container endpoints, whereas a second VPN tunnel configuration may be used to communicate data between application container 602 and application container 603. For example, if application container 603 comprised a database server, tunnels may be created between each of the applications that require access to the data accessible by application 621. Accordingly, when data objects are required for application 620 and application 622, the data may be transferred to the corresponding application and container using the appropriate VPN configuration for the application container.

In addition to the tunnels for communications, in some examples, application containers may directly address one another using the public IP address assigned to each of the application containers. Thus, some data communications from an application container may be configured to pass through secure tunnels, whereas other data communications may pass through less secure links.
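The FIG. 4 and FIG. 6 passages describe the data path: security layer 420 transparently encapsulates a data object for the tunnel, layer 421 de-encapsulates it, container 603 terminates two separate tunnels, and containers with no tunnel between them fall back to direct public-IP addressing. The following Python is an added example of that data path, not code from the patent or from any product it describes. Everything specific in it is constructed: the in-memory network keyed by public IP, the 203.0.113.x addresses, the `TUN`/`RAW` framing, and the VPN configurations handed to each layer (the same fields a management system would deliver: tunnel id, shared authentication key, peer name, peer public IP). The encryption is HMAC-SHA256 used as a counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs with the standard library alone; a real security layer would use a standard AEAD such as AES-GCM or ChaCha20-Poly1305. The receiving layer also rejects tampered packets and replayed sequence numbers, which the disclosure does not spell out but any tunnel endpoint needs.

```python
import hashlib
import hmac
import secrets
import struct

HEADER = struct.Struct(">IQ")   # tunnel_id, sequence number; sent in clear but authenticated


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (stand-in for a real AEAD)."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _seal(key, header, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag, with the header bound into the tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key + b"enc", nonce, len(plaintext))))
    tag = hmac.new(key + b"mac", header + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, header, sealed):
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(key + b"mac", header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key + b"enc", nonce, len(ct))))


class SecurityLayer:
    """Intermediary between one containerized application and everything outside its container."""

    def __init__(self, name, public_ip, network):
        self.name, self.public_ip, self.network = name, public_ip, network
        self.tunnels = {}            # peer container name -> VPN configuration received
        self.by_id = {}              # tunnel_id -> configuration, to demultiplex inbound packets
        self.tx_seq, self.rx_seq = {}, {}
        self.delivered = []          # data objects handed to the local application
        network[public_ip] = self    # constructed in-memory network, keyed by public IP

    def apply_vpn_configuration(self, cfg):
        """What the management system transfers (method 200, step 203); one entry per tunnel."""
        self.tunnels[cfg["peer"]] = cfg
        self.by_id[cfg["tunnel_id"]] = cfg
        self.tx_seq[cfg["tunnel_id"]] = 0
        self.rx_seq[cfg["tunnel_id"]] = 0

    def encapsulate(self, peer_name, peer_public_ip, data_object):
        """Choose the path for a destination; the application never learns which one was used."""
        cfg = self.tunnels.get(peer_name)
        if cfg is None:                         # no VPN configured: direct public-IP path
            return peer_public_ip, b"RAW" + data_object
        tid = cfg["tunnel_id"]
        self.tx_seq[tid] += 1
        header = HEADER.pack(tid, self.tx_seq[tid])
        return cfg["peer_public_ip"], b"TUN" + header + _seal(cfg["auth_key"], header, data_object)

    def send(self, peer_name, peer_public_ip, data_object):
        dst, wire = self.encapsulate(peer_name, peer_public_ip, data_object)
        return self.network[dst].receive(wire)

    def receive(self, wire):
        """Inbound: direct packets pass straight through; tunnelled ones are checked and opened."""
        if wire[:3] == b"RAW":
            self.delivered.append(wire[3:])
            return "direct"
        header, sealed = wire[3:3 + HEADER.size], wire[3 + HEADER.size:]
        tunnel_id, seq = HEADER.unpack(header)
        cfg = self.by_id.get(tunnel_id)
        if cfg is None or seq <= self.rx_seq[tunnel_id]:
            return "dropped"                    # unknown tunnel, or a replayed/old sequence number
        data_object = _open(cfg["auth_key"], header, sealed)   # raises ValueError if tampered
        self.rx_seq[tunnel_id] = seq
        self.delivered.append(data_object)
        return "tunnel"


def build_environment():
    """Constructed FIG. 6 layout: tunnels 601<->603 and 602<->603, no tunnel 601<->602."""
    network = {}
    l601, l602, l603 = (SecurityLayer(n, ip, network) for n, ip in
                        (("601", "203.0.113.1"), ("602", "203.0.113.2"), ("603", "203.0.113.3")))
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)    # per-tunnel authentication keys
    l601.apply_vpn_configuration({"tunnel_id": 1, "auth_key": k1, "peer": "603", "peer_public_ip": "203.0.113.3"})
    l603.apply_vpn_configuration({"tunnel_id": 1, "auth_key": k1, "peer": "601", "peer_public_ip": "203.0.113.1"})
    l602.apply_vpn_configuration({"tunnel_id": 2, "auth_key": k2, "peer": "603", "peer_public_ip": "203.0.113.3"})
    l603.apply_vpn_configuration({"tunnel_id": 2, "auth_key": k2, "peer": "602", "peer_public_ip": "203.0.113.2"})
    return l601, l602, l603


if __name__ == "__main__":
    l601, l602, l603 = build_environment()
    print(l601.send("603", "203.0.113.3", b"customer-record"))   # tunnel
    print(l602.send("603", "203.0.113.3", b"payment-batch"))     # tunnel
    print(l601.send("602", "203.0.113.2", b"heartbeat"))         # direct
    print(l603.delivered, l602.delivered)
```

The application on either side only names its peer; the security layer decides between the tunnel and the direct path, and the layer at container 603 uses the tunnel id in the authenticated header to pick the right key for each of its two tunnels. Binding the header into the MAC means a packet cannot be re-labelled for a different tunnel, and the monotonic sequence check means a captured packet cannot be replayed into the receiving application.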

FIG. 7 illustrates a host computing system 700 to provide a platform for secure application containers. Host computing system 700 is representative of a computing system that may be employed in any computing apparatus, system, or device, or collections thereof, to suitably implement the host computing systems described herein capable of providing a platform for secure application containers. Computing system 700 comprises communication interface 701, user interface 702, and processing system 703. Processing system 703 is linked to communication interface 701 and user interface 702. Processing system 703 includes processing circuitry 705 and memory device 706 that stores operating software 707.

Communication interface 701 comprises components that communicate over communication links, such as network cards, ports, RF transceivers, processing circuitry and software, or some other communication devices. Communication interface 701 may be configured to communicate over metallic, wireless, or optical links. Communication interface 701 may be configured to use TDM, Internet Protocol (IP), Ethernet, optical networking, wireless protocols, communication signaling, or some other communication format—including combinations thereof. In some examples, communication interface 701 may be configured to communicate with a management system or apparatus to configure application containers for tunneled VPN communication.

User interface 702 comprises components that interact with a user. User interface 702 may include a keyboard, display screen, mouse, touch pad, or some other user input/output apparatus. User interface 702 may be omitted in some examples.

Processing circuitry 705 comprises a microprocessor and other circuitry that retrieves and executes operating software 707 from memory device 706. Memory device 706 comprises a non-transitory storage medium, such as a disk drive, flash drive, data storage circuitry, or some other memory apparatus. Operating software 707 comprises computer programs, firmware, or some other form of machine-readable processing instructions. Operating software 707 includes secure application containers 708-709, each of which includes one or more applications and a security layer. Operating software 707 may further include an operating system, utilities, drivers, network interfaces, applications, or some other type of software. When executed by circuitry 705, operating software 707 directs processing system 703 to operate host computing system 700 as described herein.

In particular, host computing system 700 comprises software and other processing elements capable of providing a platform for secure application containers 708-709. Application containers 708-709 include an application specified by an administrator or some other management process, and further include a security layer that may act as an intermediary between the containerized application, and processes or data storage external to the application container. Specifically, the application containers rely on the operating system kernel functionality to provide resource isolation for the host computing elements, such as the processing unit, memory, block input/output, network, and other similar elements. Accordingly, the security layer and the application may execute without acknowledging other processes on the same host computing system. Each application container may comprise a Linux container, a jail, a partition, or other type of containment module, but may also comprise a virtual machine in some examples.

Here, the security layer within each of the application containers may be configured with a VPN configuration from a management system. This configuration may occur when the application containers are provisioned, or when the containers are initiated on the host computing system. This VPN configuration allows the application container to communicate sensitive data to other application containers and systems using a tunnel that secures the communications carried across it. For example, application container 708 may be configured to communicate highly sensitive information with application container 709. Accordingly, the management system may configure the application containers to communicate using a VPN tunnel. The VPN tunnel allows a private communication path to be established between the two communicating application containers.

FIG. 8 illustrates a management computing system 800 to provide encryption configurations to secure application containers. Management computing system 800 is representative of a computing system that may be employed in any computing apparatus, system, or device, or collections thereof, to suitably implement the management systems described herein capable of identifying and transferring VPN configurations to application containers. Computing system 800 comprises communication interface 801, user interface 802, and processing system 803. Processing system 803 is linked to communication interface 801 and user interface 802. Processing system 803 includes processing circuitry 805 and memory device 806 that stores operating software 807.

Communication interface 801 comprises components that communicate over communication links, such as network cards, ports, RF transceivers, processing circuitry and software, or some other communication devices. Communication interface 801 may be configured to communicate over metallic, wireless, or optical links. Communication interface 801 may be configured to use TDM, Internet Protocol (IP), Ethernet, optical networking, wireless protocols, communication signaling, or some other communication format, including combinations thereof. In some examples, communication interface 801 is configured to communicate with one or more host computing devices to provide the VPN configurations to application containers operating thereon.

User interface 802 comprises components that interact with a user. User interface 802 may include a keyboard, display screen, mouse, touch pad, or some other user input/output apparatus. User interface 802 may be omitted in some examples. In some examples, user interface 802 is configured to receive user specifications or preferences regarding VPN configurations for the application containers. In particular, the user may specify the particular application containers, the VPN configuration, or any other information related to the VPN configuration.

Processing circuitry 805 comprises microprocessor and other circuitry that retrieves and executes operating software 807 from memory device 806. Memory device 806 comprises a non-transitory storage medium, such as a disk drive, flash drive, data storage circuitry, or some other memory apparatus. Operating software 807 comprises computer programs, firmware, or some other form of machine-readable processing instructions. Operating software 807 includes identify module 808 and configure module 809, although any number of software modules may provide the same functionality. Operating software 807 may further include an operating system, utilities, drivers, network interfaces, applications, or some other type of software. When executed by circuitry 805, operating software 807 directs processing system 803 to operate management computing system 800 as described herein.

In particular, identify module 808 is configured to, when executed by computing system 800, identify two application containers in an application container environment for secure communication. In some examples, these containers may be identified when the containers are provisioned. Thus, as soon as the application container is generated, it may include the appropriate VPN configuration. In other instances, the application containers may be identified when the containers are instantiated on one or more hosts in the environment. Accordingly, when instantiated, a module within each of the application containers may contact management computing system 800, wherein management system 800 will then identify the application containers necessary for secure communication.

Once the containers are identified, identify module 808 identifies a VPN configuration for the two application containers. In response to identifying the configuration, configure module 809 configures the two application containers for secure communication by transferring the VPN configuration to security layers within each of the two application containers. As described above, in some examples, this transfer may occur when the application containers are being provisioned. However, in other instances, the VPN configuration may be provided to the application container when the container is initiated on a host computing system.

By transferring the VPN configurations to the application containers, a security module within each of the application containers is allowed to implement the configuration. Accordingly, the security layer may act as a transparent intermediary between the containerized application and processes and storage systems external to the application container. Specifically, by implementing the VPN configuration, any data that is passed between the two identified applications in separate containers may be transferred using a tunnel that provides security and a peer-to-peer path between the containers.
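The following Python model is an added illustration of the three-step flow just described (identify the container pair, identify a VPN configuration, transfer it to the security layer in each container) and of the security-layer tunnel described for host computing system 700 above. It is not the patent's own code or any product's implementation: the names ManagementSystem, SecurityLayer, AppContainer and requires_secure_comm are assumptions, the pre-shared key is constructed stand-in key material, and an HMAC tag on each frame stands in for the unspecified tunnel protection (a real VPN tunnel would also encrypt). It also shows the two paths the description names, provisioning-time configuration of every identified pair and instantiation-time configuration when a single container contacts the manager, and that a container with no transferred configuration is refused a path to a peer.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnConfig:
    """What the management system transfers to both security layers of a pair.
    psk is constructed key material standing in for real tunnel keys."""
    tunnel_id: str
    peers: tuple
    psk: bytes


class SecurityLayer:
    """Intermediary inside a container: only a peer with an installed tunnel is reachable."""

    def __init__(self, owner):
        self.owner = owner
        self.tunnels = {}  # peer container name -> VpnConfig

    def install(self, cfg):
        peer = next(p for p in cfg.peers if p != self.owner)
        self.tunnels[peer] = cfg

    def send(self, peer, payload):
        cfg = self.tunnels.get(peer)
        if cfg is None:  # no VPN configuration for this peer: the layer refuses the transfer
            raise PermissionError(f"{self.owner}: no tunnel to {peer}")
        tag = hmac.new(cfg.psk, payload, "sha256").digest()
        return cfg.tunnel_id, payload + tag  # model only authenticates; a real tunnel also encrypts

    def receive(self, peer, frame):
        cfg = self.tunnels.get(peer)
        if cfg is None:
            raise PermissionError(f"{self.owner}: no tunnel from {peer}")
        payload, tag = frame[:-32], frame[-32:]
        if not hmac.compare_digest(tag, hmac.new(cfg.psk, payload, "sha256").digest()):
            raise ValueError("tunnel integrity check failed")
        return payload


@dataclass
class AppContainer:
    name: str
    application: str
    requires_secure_comm: bool  # constructed security requirement of the contained application
    security_layer: SecurityLayer = field(init=False)

    def __post_init__(self):
        self.security_layer = SecurityLayer(self.name)


class ManagementSystem:
    def __init__(self, containers, user_pairs=()):
        self.containers = {c.name: c for c in containers}
        self.user_pairs = {frozenset(p) for p in user_pairs}  # pairs given by user input
        self.configs = {}  # frozenset of two names -> VpnConfig

    def identify_pairs(self):
        """Step 1: user-named pairs plus pairs whose applications both require secure comm."""
        pairs = set(self.user_pairs)
        names = sorted(self.containers)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if self.containers[a].requires_secure_comm and self.containers[b].requires_secure_comm:
                    pairs.add(frozenset((a, b)))
        return pairs

    def identify_vpn_config(self, pair):
        """Step 2: one configuration per pair, generated once so both sides get the same one."""
        if pair not in self.configs:
            a, b = sorted(pair)
            self.configs[pair] = VpnConfig(f"tun-{a}-{b}", (a, b), secrets.token_bytes(32))
        return self.configs[pair]

    def configure(self, pair):
        """Step 3: transfer the configuration to the security layer inside each container."""
        cfg = self.identify_vpn_config(pair)
        for name in pair:
            self.containers[name].security_layer.install(cfg)
        return cfg

    def provision_all(self):
        """Provisioning-time path: configure every identified pair up front."""
        return [self.configure(p) for p in self.identify_pairs()]

    def handle_configuration_request(self, name):
        """Instantiation-time path: a container contacts the manager when it starts."""
        return [self.configure(p) for p in self.identify_pairs() if name in p]


def build_environment():
    """Constructed three-container environment: two sensitive applications and one that is not."""
    web = AppContainer("web", "frontend", True)
    db = AppContainer("db", "database", True)
    log = AppContainer("log", "log-shipper", False)
    return ManagementSystem([web, db, log]), web, db, log


def can_send(container, peer, payload=b"ping"):
    """True when the container's security layer holds a tunnel to peer."""
    try:
        container.security_layer.send(peer, payload)
        return True
    except PermissionError:
        return False


def frame_accepted(container, peer, frame):
    """True when the receiving security layer accepts the frame as intact."""
    try:
        container.security_layer.receive(peer, frame)
        return True
    except (PermissionError, ValueError):
        return False
```

Running build_environment() followed by provision_all() yields a single configuration, tun-db-web, installed in both the web and db security layers; web can then reach db, but neither web nor db can reach log, and a frame whose tag has been altered is rejected by the receiving layer. Calling handle_configuration_request("db") on a fresh environment instead reproduces the instantiation-time path, configuring the same pair when only one container has contacted the manager.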

The included descriptions and figures depict specific implementations to teach those skilled in the art how to make and use the best option. For the purpose of teaching inventive principles, some conventional aspects have been simplified or omitted. Those skilled in the art will appreciate variations from these implementations that fall within the scope of the invention. Those skilled in the art will also appreciate that the features described above can be combined in various ways to form multiple implementations. As a result, the invention is not limited to the specific implementations described above, but only by the claims and their equivalents.

What is claimed is:
1. A computing apparatus comprising: one or more non-transitory computer readable storage media; a processing system communicatively coupled to the non-transitory computer readable storage media; and processing instructions stored on the one or more non-transitory computer readable storage media to provide virtual private network (VPN) configurations to application containers that, when read and executed by the processing system, direct the processing system to: identify a first application container and a second application container in the application container environment for secure communication, wherein the first application container executes using resource isolation provided by an operating system for the first application container, and wherein the second application container executes using resource isolation provided by an operating system for the second application container; identify a VPN configuration for the first application container and the second application container; and configure the first application container and the second application container for secure communication by transferring the VPN configuration to a first security layer within the first application container and a second security layer within the second application container, wherein the first security layer acts as a communication intermediary between at least one application within the first application container and at least one application in the second application container, and wherein the second security layer acts as a communication intermediary between the at least one application within the second application container and the at least one application in the first application container.
2. The computer apparatus of claim 1 wherein the application container environment comprises a web service environment configured to provide a web service to one or more end user devices.
3. The computer apparatus of claim 11 wherein the processing instructions to identify the first application container and the second application container in the application container environment for secure communication direct the management system to: receive a configuration request from at least one of the first application container or the second application container; and in response to receiving the configuration request, identify the first application container and the second application container in the application container environment for secure communication.
4. The computer apparatus of claim 1 wherein the processing instructions to identify the first application container and the second application container in the application container environment for secure communication direct the management system to identify user input defining the first application container and the second application container in the application container environment for secure communication.
5. The computer apparatus of claim 1 wherein the processing instructions to identify the first application container and the second application container in the application container environment for secure communication direct the management system to identify applications within the first application container and the second application container for secure communication.
6. The computer apparatus of claim 1 wherein the processing instructions to identify the VPN configuration for the first application container and the second application container direct the management system to identify the VPN configuration for the first application container and the second application container based on user defined preferences.
7. The computer apparatus of claim 1 wherein the processing instructions to identify the VPN configuration for the first application container and the second application container direct the management system to identify the VPN configuration for the first application container and the second application container based on security requirements for the at least one application within the first application container and the at least one application within the second application container.
8. The computer apparatus of claim 1 wherein the first application container and the second application container each comprise a Linux container.
9. The computer apparatus of claim 1 wherein the first application container and the second application container each comprise a jail.
10. A method of operating a management system to provide virtual private network (VPN) configurations to application containers in an application container environment, the method comprising: identifying a first application container and a second application container in the application container environment for secure communication, wherein the first application container executes using resource isolation provided by an operating system for the first application container, and wherein the second application container executes using resource isolation provided by an operating system for the second application container; identifying a VPN configuration for the first application container and the second application container; and configuring the first application container and the second application container for secure communication by transferring the VPN configuration to a first security layer within the first application container and a second security layer within the second application container, wherein the first security layer acts as a communication intermediary between at least one application within the first application container and at least one application in the second application container, and wherein the second security layer acts as a communication intermediary between the at least one application within the second application container and the at least one application in the first application container.
11. The method of claim 10 wherein the application container environment comprises a web service environment configured to provide a web service to one or more end user devices.
12. The method of claim 10 wherein identifying the first application container and the second application container in the application container environment for secure communication comprises: receiving a configuration request from at least one of the first application container or the second application container; and in response to receiving the configuration request, identifying the first application container and the second application container in the application container environment for secure communication.
13. The method of claim 10 wherein identifying the first application container and the second application container in the application container environment for secure communication comprises identifying user input defining the first application container and the second application container in the application container environment for secure communication.
14. The method of claim 10 wherein identifying the first application container and the second application container in the application container environment for secure communication comprises identifying applications within the first application container and the second application container for secure communication.
15. The method of claim 10 wherein configuring the first application container and the second application container for secure communication by transferring the VPN configuration to the first security layer within the first application container and the second security layer within the second application container comprises configuring the first application container and the second application container for secure communication by provisioning the first application container and the second application container with the VPN configuration for the first security layer within the first application container and the second security layer within the second application container.
16. The method of claim 10 wherein identifying the VPN configuration for the first application container and the second application container comprises identifying the VPN configuration for the first application container and the second application container based on user defined preferences.
17. The method of claim 10 wherein identifying the VPN configuration for the first application container and the second application container comprises identifying the VPN configuration for the first application container and the second application container based on security requirements for the at least one application within the first application container and the at least one application within the second application container.
18. The method of claim 10 wherein the first application container and the second application container each comprise a Linux container.
19. The method of claim 10 wherein the first application container and the second application container each comprise a jail.